Certificate issue in Palo alto firewall


We are created the Virtual host on CentOS 8 . The domain name was configured in noip.com. we can able to download the CSR certificate while we uploading the certificate in the firewall. It is shows as an R3 certificate. It doesn't have any CA name to get sign from external authority because of the issue the certificate is only valid for firewall device itself. we wouldn't able to access the GP clients using this certificate. Kindly give some suggestions regarding this issue.

My domain is testpaloalto.ddns.net

Thanks & Regards

1 Like

Hello @Cybersecon, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is a list of issued certificates crt.sh | testpaloalto.ddns.net
The one certificate was issued 2023-03-05

For more details on chains see Long (default) and Short (alternate) Certificate Chains Explained

1 Like

R3 is the intermediate CA currently used by LE.
Certificate files don't normally come with the trusted root cert.
[all trusted root certificates should only be provided by the OS and any such updates]
R3 chains to a trusted root.

Please better explain the problem you are having.


If you have such a firewall in between your web servers and the Internet (especially a "web application firewall" or "WAF"), and you're having trouble getting or renewing a Let's Encrypt certificate, you should modify your firewall policies and enable acme-protocol connections from the Internet to your servers. The connections in question are only one specific portion of the ACME protocol, but this is apparently the term that now Palo Alto uses in its configuration to refer to them.

after doing thing quote said, run acme client on webserver itself.


@orangepizza, they were able to get the cert - see pic in OP.
Albeit via CSR file and probably some manual method.

There issue is unclear.

But you may be right; It might be that ACME-Protocol issue.


certificate is only valid for firewall device itself.

there is alto firewall in front of centos VM, and cert he see is just for name of firewall itself, in firewall
if he wanted to get a certificate oneself than he should get a new certificate


What are "GP clients"?


Supplemental information, there are no Ports Open.

$ nmap -Pn testpaloalto.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-06 01:18 UTC
Nmap scan report for testpaloalto.ddns.net (
Host is up.
All 1000 scanned ports on testpaloalto.ddns.net ( are filtered

Nmap done: 1 IP address (1 host up) scanned in 202.05 seconds

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: testpaloalto.ddns.net

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): CentOS 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like

From here Chain of Trust - Let's Encrypt

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.